New Destructive Malware Bricks IoT Devices

There's a new malware called BrickerBot that permanently disables vulnerable IoT devices by corrupting their storage capability and reconfiguring kernel parameters. Right now, it targets devices with open Telnet ports, but we should assume that future versions will have other infection mechanisms.

Slashdot thread.

Posted on April 11, 2017 at 8:22 AM • 43 Comments

Comments

wumpusApril 11, 2017 8:55 AM

Slashdot comments are pointing out that European and Australian owners can simply return such products as the defective examples they are. Americans would be wise to make sure any IoT items they buy should be on sale in such places.

Of course if you cared enough to check, you wouldn't be buying an IoT.

PaulApril 11, 2017 8:56 AM

You have commented in the past that poor security is often a negative externality, and the situation will not improve until something changes in the economic analysis for the manufacturers of insecure things.

Brickerbot sounds like a way of making that externality a direct cost for the manufacturers because any manufacturer selling something insecure will be driven to bankruptcy by the warrenty returns and bad reviews ("I plugged it in, and it only worked for 30 minutes. Total rubbish. Would not buy again!").

If so, shouldn't this be encouraged?

duncanApril 11, 2017 9:12 AM

It may be stretch to call this "permanent". It overwrites the storage but does nothing to damage the hardware. If it overclocked/overvolted the CPU until it died, *that* would be permanent.

I don't see much detail on what's needed to recover. Can you just TFTP a new firmware (see openwrt instructions)? If you need to solder something or set up a JTAG, "permanent" is more applicable. (Still, that's more like bad HW/SW design. If malware just wiped a PC's hard drive it wouldn't be hard to recover.)

ShieldCurveApril 11, 2017 9:28 AM

I don't see much detail on what's needed to recover. Can you just TFTP a new firmware (see openwrt instructions)? If you need to solder something or set up a JTAG, "permanent" is more applicable.

I imagine that they are recoverable by one of the methods you mentioned. However, these methods are far beyond the technical ability of the vast majority of users. To them, the device simply stopped working. They don't consider that its software was probably corrupted and needs to be (re)loaded.

On that subject, I've found that many IoT devices are easily factory reset if you have network connectivity to them. I had a few security cameras I inherited of different models/brands—Axis, Bosch, and Sony if I remember correctly—that I didn't know the password to. Each of the manufacturers had a utility that replaced the firmware on the device over the network and restored factory settings.

InBeforeRussianTrollsApril 11, 2017 10:34 AM

This is not malware! It's a public service. More of this, please.

MrCApril 11, 2017 10:47 AM

My sentiments are largely in line with Paul, InBeforeRussianTrolls, and the bulk of the slashdot comments -- this is a vigilante public service that solves the externality problem with insecure, unsecurable IoT crap.

Who?April 11, 2017 10:56 AM

@ duncan

It depends.

- does the manufacturer provide full OS images to reflash the device? only incremental ones? does the manufacturer provides some sort of updates at all?

- does the device boot from a ROM, an image stored on a different flash chip or a partition that remains unmodified? is the boot image damaged too?

In the best case you can boot from the "factory image" (whatever it is called in the IoT world) and reflash the device; in a worse case you need to flash the operating system from another computer; in the worst case you do not have access to a full image to be flashed. (and my point is that the best case implies you are knowledgeable in computers.)

...in any case allow me to be politically incorrect, I would call BrickerBot "goodware."

duncanApril 11, 2017 11:37 AM

I imagine that they are recoverable by one of the methods you mentioned. However, these methods are far beyond the technical ability of the vast majority of users.

If TFTP, someone could write an easy-to-use program to reflash these with a *secure* image. This would make it a major temporary annoyance to the users rather than a permanent bricking. And we'd end up with a better internet. (I don't exactly approve, but it's like those sirens in Dallas: if nobody went for the big attack, it would remain "purely hypothetical" and nothing would ever be done.)

MrCApril 11, 2017 1:20 PM

@TimH.

Sure it does. The customer now bears the consequences of purchasing a device with shit security. Externality internalized.

albertApril 11, 2017 1:28 PM

Using botware techniques to fight botware is very clever indeed. I never would have thought of it*, though it's a bit like attacking a fly with a shotgun.

It's highly unlikely that folks with the expertise to mitigate the damage would operate devices with default passwords in the first place.

Publicizing the attacks might encourage more folks to get involved, and perhaps manufacturers (those still in business) will take notice.

----------
* probably 'cause I'm such a nice guy.
. .. . .. --- ....

My InfoApril 11, 2017 1:58 PM

@duncan

Can you just TFTP a new firmware ... solder something or set up a JTAG ???

It's bricked. That's the way they made it.

At this point in time, I am welcoming the malware that "bricks" those useless devices rather than silently turns them into remotely accessible surveillance devices for organized criminal cartels.

At the same time, I am condemning the manufacturers of these Trojan horse IoT devices which are intended no doubt to serve some minor but vital and irreplaceable function, probably to be required by building codes in modern homes. Like light bulbs, for example. Haven't you heard of the light bulb cartel?

Just like George Orwell, 1984. Turn it into a surveillance device, and then require people to use it.

albertApril 11, 2017 4:54 PM

@Tom Kenney,

Perhaps, but that's legal:)

Could this be the beginning of the Botnet Wars?

Interesting, or cool, depending upon ones perspective...

. .. . .. --- ....

boogApril 11, 2017 6:09 PM

...shouldn't this be encouraged?
More of this, please.
...this is a vigilante public service...
...I would call BrickerBot "goodware."
I mean, as long as nobody gets hurt or dies, right?

Because let's be honest who the real victims are here: the consumers, not the manufacturers.

rApril 11, 2017 6:30 PM

@albert,

Don't discredit the honeypot (experts operating defaultly (or easily guessed) passworded devices.

HermanApril 12, 2017 2:54 AM

Well, millions of viruses and other malware still didn't stop people from buying Microsoft Windows products and didn't inspire Microsoft to write significantly better software.

Therefore I predict that absolutely nothing will change and the IoJ (Internet of Junk) device manufacturers will carry on as before and churn out millions more junk devices.

rApril 12, 2017 4:22 AM

@Herman, Larry,

Gee, how many seats does that bus you two are riding have in at?

Are there any more seats available for your trip to Point Nowhere?

While Microsoft Windows can't be claimed to be the most secure certainly following the proper upgrade paths is far smarter for those who can than those who are still willingly (not forcibly) stuck with or on 9x or XP.

Mitigation[s] are not complete granted, but they are neither news nor news dear Trolls.

Clive RobinsonApril 12, 2017 6:31 AM

@ Paul, InBeforeRussianTrolls, MrC, Who?, Kyle Rose,

If so, shouldn't this be encouraged?

Firstly, vigilante behaviour like warfare against civilians is rarely a good idea. Because you have to consider the actual damage done not just to the immediate point of a "strike", but also to the local area surround it and to the psychological effect it has on those who are hit by the strikes.

Secondly, such an attack is ripe for an unthinking knee jerk reaction from those who legislate. Based on what has happened in the past the US and other countries will enact a very broad scale legislation that will automatically sweep in legitimate researchers. It will in effect as similar legislation has done in the past protect home manufacturers not customers by limiting research. It also will in all probability include "a few little extras" directly or indirectly that will give increased over-reach to the likes of the NSA and FBI.

@ All,

But even though it might appear to be vigilantism, you should not rule out the possibility that it was actually an "Industry Insider Attack" to clear the field of opponents products or even a Nation State doing likewise.

As others have noted even though the hardware is not damaged, the cost of "returns" is way to high. As I've pointed out a few times before on this blog Fast Moving Consumer Electronics (FMCE) is a cut throat business with very small profit per item, where the cost of "transport" to "rework" would be considerably larger. Thus a company could be effectively destroyed by such an attack. Which thus brings up the question of "National Security" which is potentially a cause to take an overly broad counter reaction which would not be good.

Dirk PraetApril 12, 2017 9:10 AM

@ Clive

Secondly, such an attack is ripe for an unthinking knee jerk reaction from those who legislate.

Though I agree that condoning or even encouraging this type of actions can rapidly turn into a very slippery slope - including politicians as usual siding with whomever fills their pockets most - the question from a security vantage remains what is worse: a vigilante or competitor knocking out horribly insecure devices, or quietly allowing said devices to be turned into zombies used against their owners and the rest of the world.

For cars, planes and pretty much everything else, there are safety and security regulations they have to comply with. There is no reason whatsoever why it shouldn't be the same for IoT devices. Any politician claiming otherwise should be publicly crucified (or hung, if you're a Ken Livingstone supporter). If you buy a new (or even used) car, it needs to be up to specs. If it isn't, it will be taken off the road until it is, and depending which jurisdiction you're in you can either sue the vendor or blame yourself for lack of due diligence. Over here, you can even get fined for leaving your car on the street unlocked, or ostensibly leaving valuables in it. And which actually works in preventing break-ins and theft.

So absent any adequate regulation, I am for now more or less OK with such interesting proof of concepts that can only fuel a much needed public and political debate on the issue.

CallMeLateForSupperApril 12, 2017 9:29 AM

@Clive @All
"Fast Moving Consumer Electronics (FMCE) is a cut throat business with very small profit per item, where the cost of "transport" to "rework" would be considerably larger. Thus a company could be effectively destroyed by such an attack."

True; no question. Let us not forget or gloss over a very common and very powerful DISincentive for consumers to "return for repair or replacement": the costs that fall on the consumer for said return, costs that can approximate or even exceed the price of buying new. Above all, this kind of policy is no incentive for companies to do better.

Do I really want to pack up the item, schlepp it to a shipper, pay for shipment, include payment for return shipping and then wait "four to six weeks"? Or would I rather just drop the item in the trash, buy a new one at the minimall and get on with life?

albertApril 12, 2017 11:08 AM

@Clive,

"...Thus a company could be effectively destroyed by such an attack..."

Which is precisely the point. Somewhat regulated industries feel the pain when they put out junk products; either through fines, loss of business, or class action lawsuits. Brickbots skip all the formalities and go right to the core of the problem. Nothing is being done about IoT vulnerabilities now, so why is this different? It's a correctable problem that makers have no intention of fixing.

Karma's a bitch.

@CallMeLateForSupper,
"..buy a new one at the minimall and get on with life..." Why would you do that? Would you expect a different result?

@Anyone,

I wouldn't worry about a broad overreaction by the gov't. Only major manufacturers have that kind of power.

It's funny, but this situation simulates a true free market system, where the makers of garbage go out of business.

Good riddance!

. .. . .. --- ....

Clive RobinsonApril 12, 2017 12:08 PM

@ Dirk Praet,

... the question from a security vantage remains what is worse: a vigilante or competitor knocking out horribly insecure devices, or quietly allowing said devices to be turned into zombies used against their owners and the rest of the world.

Whilst such devices are a considerable nuisance, bricking them is not the way to go, for not just the reasons I mentioned above. In the EU for instance there is consumer protection legislation, whereby the owner of a product can return it if it is sold "not fit for purpose". However this becomes problematical if the product has been "modified" in any way. The question would thus become an awkward decision for any arbiter to make (it's in part the reason MS has not been sued into bankruptcy). That is did the product fail because of poor design or the actions of an unknown third party (think of it as arguing a car manufacture was deficient in their design because somebody cut the brake lines). You would get to the point where you would ask was the unit functioning to a reasonable specification before the intervention of a third party? Arguably each affected product was working as well as it's competitors at the same price point, in fact it could be argued that the purchaser was deficient in not seting up the device correctly (if it was possible to overwrite the default passwords or disable them or the service). Part of this is due to the likes of ISPs and the home routers they supply, which are mainly stock items that have been re-badged for the ISP. Part of an ISPs purchase decisions is "tech support" and "remote test", they effectivly demand master passwords that can not be easily disabled (if at all) as part of the bulk purchase decision/contract (I know this from having designed FMCE for a number of major EU telcos). The point is that like GPS in mobile phones, once somebody with clout says "this is a requirment" the manufacturer due to production costs will inflict it on all products of that model of PCB irrespective of case or badge. That is the way of the world with FMCE and it's not going to change unless some one with more clout such as legislators etc make it that way.

This problem swings both ways, if you think back to the FCC ruling on ISM and similar radio equipment about not allowing users of all levels to "change frequency or power output". There were good and sufficient reasons for the FCC to do so, but in the process it hurt those with the technical skills to reflash WiFi APs/Routers. Worse it made it a "world change" under the "one standard part" methodology of FMCE.

Whilst vigilante behaviour might be seen as a fast solution to the nuisance issue, it is without doubt an illegal act.

But the reality is it won't change things except for a few days. People that have been effected will go out and by a replacment product in a very short period of time. Two things we know will happen. Firstly supply and demand will significantly "up the prices" at some point in the supply chain. Secondly the only product that will be available will be other defective units and the purchasers by and large will not care because when they get it home it will work just as they did prior to getting hit by the bot-net.

The real solution to the problem in the short term is for ISPs to "block" inbound traffic on those ports... Which almost certainly means it will be a "universal block" on all an ISPs customers, and to get funcrionality back on those port numbers will of course be seen as an issue to extract more money out of individuals, because it's in effect "money for nothing" or atleas very little effort...

Whatever happens it's ordinary customers that will be hurt and made to pay through the nose one way or another. The only question is which customers will be hit the hardest.

Further there is a psychological issue, people will suffer an altered perception of the Internet. Whilst some say this would be a good thing if it makes them more security proactive, this is problematical. Most users lack the knowledge to set up systems properly and for various reasons will be incapable of doing so indefinitely. It's not as simple as stoping your car being an "attractive nuisance" by "puting valuables out of sight and locking doors" etc. If legislators wave a stick in future you will not be able to buy a home router that is of any real use as it will be totally locked down for just baaic services. What this might do for IoT is effectively cause it to be "killed at birth", thus critically effecting various economies in various parts of the world. The thing is the jobs that will be lost will have ramifications (see what happened with the joint ventures between North and South Korea).

The whole issue is a mess from start to finish and those who setup this attack realy did not think things through. No I do not know if that is due to stupidity or lack of world experiance, but I see the chance of something good comming out of this as extremely small, whilst I see the opportunity of harm to be high.

Clive RobinsonApril 12, 2017 1:40 PM

@ Albert, ALL,

Nothing is being done about IoT vulnerabilities now, so why is this different?

It's very far from just being IoT which is still the new kid on the block as far as these problems are concerned.

As I mentioned above one aspect is ISPs and their "Tech Support / Test" issues. Thus you might find this of interest, because it explains one of the problem areas that gave rise to Algeria being a major source of hacking wordpress sites (India and the Philippines being just two more),

https://boingboing.net/2017/04/12/port-7547.html

As for,

It's a correctable problem that makers have no intention of fixing.

Whilst that is true, there is quite a difference between PC systems where software patches come out almost as fast as bullets out of a mini-gun and embedded systems where patches are seldom if never for various reasons.

Often the software is "Open Source" and actually based around Linux or BSD these days due to the relatively cheap price of ARM based SoCs. You only have to read the carping and bitching over mobile phones, tablets and similar that run Android to see that it is very far from being just an IoT problem.

And the reason the problem exists has "complex business" causes but "simple feet on the ground" issues. FOSS is like nearly all other PC based software, overly complex and riddled with attack vectors most of which have yet to become "zero days". The complexity is due mainly to "perceived" rather than "actual" user needs and "code cutter machismo". With such software containg thousands to millions of actual lines of code[1] in each program it's beyond even the largest of companies to keep up with (think how the likes of Oracle, Adobe, and even Google and RedHat are in that they are,more reactive than pro-active).

Companies producing embedded systems don't usually develop the OS or programs, they either get them as a package, sourced from "chip manufactures" or occasionaly bought in. Their own internal teams are often not much more than "configuration jockeys" following SoC application notes and refrence designs. With any programers effectively devoted to "value added" products that many of us regard as "intrusion/instrumentation ware".

This is the expected result of "race for the bottom" "free market" behaviour, for which we should all know and accept can only change with "market regulation" as those with commercial clout care not two broken cents to change things. Even if most of the "market producers" went out of business this would in no way change, because that is the "pragmatic" way of the world. Which is something few idealists be they economic, market or democratic liberals will accept are the realities of life and unregulated markets. In the main as they have "no skin in the game" they can make their pronouncments right or wrong without any real risk or loss.

As the old saying has it "You get what you pay for", and nobody appart from a few idealists want to pay the price that even moderate security would cost. The embbeded FMCE market is not going to change unless it is forced to, and since neither individual customers or corporate customers want to pay anything more than the minimum they can get away with the will get what they pay for. The only other people with sufficient clout to change the embbeded FMCE market is legislators and the regulators they create setting standards and test criteria which as others have noted in the past will kill most FOSS deader than a fossilized sea mollusc.

[1] By actual lines of code I mean not just what the code cutter put in his program but all the lines of code in libraries etc as well. As well as the effective lines of code that come out of not at all robust tool chains.

My InfoApril 12, 2017 3:13 PM

Re: implied warranty of fitness for a particular purpose.

The truth of this matter is that we (all of humanity collectively) are simply unable at the present time to develop software up to such a warrantable standard. It is extremely important to take this lack of warranty to heart and when we buy or use any software at all, proprietary or open source, to realize that it is at our own risk for whatever we are able to accomplish (or not, as the case may be) with the software.

There have been some scattered movements from time to time toward "high assurance," but these have been continually discouraged and set back by the Mafia, NSA, CIA, and FBI, who all demand arbitrary access to our personal computers for various criminal, legal, political, or military reasons.

SteveApril 12, 2017 7:05 PM

One might argue that many IoT devices are useless by default, straight out of the box.

Martin SpamerApril 13, 2017 3:30 AM

Change the default password, one of the oldest pieces of advice for security of devices. This blog shows the importance of this advice with IoT devices.

Today we see this advice is relevant Digital Assistants with a TV advert using the activation phrase to trigger Goggle Home (1).

The ongoing theme is that this an important lesson that must be integrated into all emergent technology going forward. Authorisation needs to be built designed in.

Today we also learn that Elon Musk is funding the development of Neural Laces, digital to neural interfaces. While these are clearly some way off, we need to push to see security is integrated into these by design from day one.

1) https://www.bloomberg.com/news/articles/2017-04-12/burger-king-ad-threatens-to-renew-debate-over-voice-devices
2) http://uk.businessinsider.com/elon-musk-neuralink-connect-brains-computer-neural-lace-2017-3?r=US&IR=T

Clive RobinsonApril 13, 2017 5:51 AM

@ Martin Spamer,

If you look back on this blog, people wondered after the "Alexa order" TV news issue if others would take advantage ot it.

And low and behold a burger flipper chain is first out of the gate. Hopefully they will make a right "pattie" of themselves.

Oh a friendly word you might want to think about choping out the first few lines of your CV in the web accessable version.

Dirk PraetApril 13, 2017 8:45 AM

@ Clive

Whilst such devices are a considerable nuisance, bricking them is not the way to go, for not just the reasons I mentioned above.

While from a rational angle I cannot find flaw with any of your arguments - quite to the contrary -, my gut feeling is still telling me we're trapped in a "damned if you do, damned if you don't" scenario. Which never sits quite well with me, hence my not even thinly veiled sympathy for such vigilante initiatives (however illegal they may be).

Everyone even remotely knowledgeable about the subject matter knows that this entire IoT affair from a security vantage is a disaster in the making. Appropriate regulation IMO is the only way forward, but we all know how that usually goes, i.e. draconian overreach as soon as the dung hits the fan. In essence, I couldn't care less about particularly bad offenders going bust, even when it costs jobs, leaves unwitting customers with terminally broken and unsupported products, or when prices go up to meet a number of minimum specifications. When you buy a cheap cr*p car from a dodgy company in Kazakhstan, don't be surprised either when suddenly it blows up in your face, is taken off the streets or finds itself without spare parts because the Bhorat Motor Company has filed for bankruptcy.

The issues I am, like you, concerned about is the burden over-regulation would put on smaller companies and the way it would tie the hands of knowledgeable product owners all while probably not even improving the overall security of said devices that, for all practical purposes, in their current state are a gift of $DEITY for the average TLA.

As any kind of regulation in general is purely reactive, I think there's a huge opportunity here for consumer organisations and scandal savvy media to do appealing visual reports exposing such dangerously insecure IoT devices and their vendors to the general public. If done right, I think it would massively contribute to creating awareness not just with the general public, but just as much with politicians who are always keen to jump on a popular bandwagon.

Over here, we have a quite popular TV show that takes the p*ss out of an entire range of consumer products comparing what they promise to what they deliver. It's regularly beyond hilarious as the hosts are really funny people with a keen sense of dark humour, to the anger and despair of vendors whose market share suddenly takes a nose dive. In the EU, of course, we have quite strong consumer rights, and there's a fair chance in the US any such show and its broadcaster would be litigated out of existence.

albertApril 13, 2017 11:57 AM

@Dirk,

"...In the EU, of course, we have quite strong consumer rights, and there's a fair chance in the US any such show and its broadcaster would be litigated out of existence...."

True, but here in the US, we have 1st Amendment rights that allow us to offer our opinions about products, and facts about products that are protected speech. And an active community of lawyers doing pro bono work for defendants involve in nuisance suits.

The only drawback to BrickBots is legality. I don't give a RSA about companies that go belly up when they make crap; that's how a free market works.

@Clive,
How much more does it cost a company to hardcode strong passwords into a product? Or physically protect flash from being overwritten?

. .. . .. --- ....

My InfoApril 13, 2017 12:43 PM

@albert

The only drawback to BrickBots is legality.

I'm not too concerned about that. Someone did me a favor by bricking an insecure-by-design device of already questionable legality that was otherwise being forced down my throat.

Clive RobinsonApril 13, 2017 2:47 PM

@ Albert,

How much more does it cost a company to hardcode strong passwords into a product?

No more than it does weak ones if done at "build time". However hard or strong passwords should never be hadcoded into a product, because they will become known at some point.

One way around the issue is to store the product serial number in EEROM be it AND OR or Flash and on first loging into the device prompt for a password change.

But this is not what "bulk buyers" like ISPs want and as we know "money talks".

Or physically protect flash from being overwritten?

A lot of Flash these days is on silicon inside an SoC where every pin on the package would have a more important task than acting as a write protect line.

But even if it was the cost of putting a "jumper link" on a board that had to be changed on a production line, it would be well over a dollar increase in cost in total...

MApril 13, 2017 3:52 PM

@ Dirk Praet

'Bhorat Motor Company'

Sascha Baren Cohen, the actor playing Borat, has an esteemed psychologist uncle whom diagnosed Lauri Love with aspergers, and presented to the court same

TheDavetatorApril 13, 2017 10:19 PM

@Clive I'm thinking of declaring myself Supreme Benevolent Dictator of the entire planet, possibly Sol System. Care to be an advisor?

Clive RobinsonApril 14, 2017 2:59 AM

@ TheDavetator,

Care to be an advisor?

Hmm maybe, what's the Pay&Perks ;-)

albertApril 15, 2017 11:15 AM

@Clive,

I should have said "hardcoded default randomized passwords"

I don't have a problem with the 'mean what you say' part, but I do sometimes with the 'say what you mean' part.

. .. . .. --- ....

GrauhutApril 17, 2017 8:53 AM

Reminds me of the good old code red jill.c days! :)

Took just some hours to code a script that scanned a snort log for ips.

A simple route del -net default after some defacement in web admin gui html pages would be enough, formatting the flash is overkill.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.